// Exam Overview
| Detail | Value |
|---|---|
| Exam code | SY0-701 |
| Number of questions | Up to 90 (multiple choice + performance-based) |
| Duration | 90 minutes |
| Passing score | 750 out of 900 |
| Recommended experience | 2 years IT with a security focus, CompTIA Network+ recommended |
| Renewal | Every 3 years via CEs or retake |
| Domain | Name | Weight |
|---|---|---|
| 1 | General Security Concepts | 12% |
| 2 | Threats, Vulnerabilities & Mitigations | 22% |
| 3 | Security Architecture | 18% |
| 4 | Security Operations | 28% |
| 5 | Security Program Management & Oversight | 20% |
// Domain 1 - General Security Concepts (12%)
CIA Triad
| Principle | Definition | Example control |
|---|---|---|
| Confidentiality | Only authorised parties can access information | Encryption, access controls, MFA |
| Integrity | Data is accurate and has not been tampered with | Hashing, digital signatures, version control |
| Availability | Systems and data are accessible when needed | Redundancy, backups, DDoS mitigation |
Authentication factors
| Factor | What it is | Examples |
|---|---|---|
| Something you know | Knowledge factor | Password, PIN, security question |
| Something you have | Possession factor | Smart card, hardware token, OTP app |
| Something you are | Inherence factor | Fingerprint, facial recognition, iris scan |
| Somewhere you are | Location factor | Geolocation, IP restriction |
| Something you do | Behaviour factor | Typing pattern, gait analysis |
Encryption types
| Type | Key model | Examples | Use case |
|---|---|---|---|
| Symmetric | Same key for encrypt & decrypt | AES, 3DES, RC4 | Fast; bulk data encryption |
| Asymmetric | Public/private key pair | RSA, ECC, Diffie-Hellman | Key exchange, digital signatures, PKI |
| Hashing | One-way, no key | SHA-256, MD5 (insecure), bcrypt | Integrity verification, password storage |
Key controls to know
| Control type | Definition | Examples |
|---|---|---|
| Preventive | Stops an incident happening | Firewall, MFA, encryption, access control |
| Detective | Identifies when an incident has occurred | IDS, SIEM, audit logs, cameras |
| Corrective | Reduces impact / restores after incident | Backups, patch management, IR plan |
| Deterrent | Discourages attackers | Warning banners, security cameras, policies |
| Compensating | Alternative when primary control can't be used | Network isolation for unpatched legacy system |
| Directive | Tells people what to do | Policies, procedures, training |
// Domain 2 - Threats, Vulnerabilities & Mitigations (22%)
Malware types
| Type | Definition |
|---|---|
| Virus | Attaches to legitimate files and spreads when the file is run; requires a host file and user action to spread |
| Worm | Self-replicates across networks without user interaction; exploits vulnerabilities automatically |
| Trojan | Disguised as legitimate software; creates a backdoor, RAT, or drops additional malware |
| Ransomware | Encrypts files and demands payment for the decryption key |
| Rootkit | Hides malware, processes, or attacker presence at OS or kernel level |
| Keylogger | Records keystrokes; captures credentials and sensitive data |
| Spyware | Monitors user activity and sends data to the attacker without consent |
| Botnet | Network of infected hosts controlled by a C2 server; used for DDoS, spam, cryptomining |
| Logic bomb | Triggers a malicious action when a specific condition is met (date, event, login) |
Attack types to know
| Attack | How it works |
|---|---|
| SQL Injection | Malicious SQL injected via input fields; manipulates database queries |
| XSS (Cross-Site Scripting) | Malicious script injected into web pages viewed by other users |
| CSRF | Forces an authenticated user to perform unintended actions on a trusted site |
| Buffer overflow | More data written to a buffer than it can hold; overwrites adjacent memory |
| Man-in-the-Middle (MitM) | Attacker intercepts and potentially modifies communication between two parties |
| Pass-the-Hash | NTLM hash used to authenticate without knowing the plaintext password |
| Kerberoasting | Service ticket requested and cracked offline to get the service account password |
| Credential stuffing | Leaked username/password combos tried at scale against multiple services |
| Birthday attack | Exploits hash collision probability; finds two inputs producing the same hash |
| Rainbow table attack | Pre-computed hash table used to reverse hash values; mitigated by salting |
// Domain 3 - Security Architecture (18%)
Network security concepts
| Concept | Definition |
|---|---|
| DMZ (Demilitarised Zone) | Network segment between the internal network and the internet; hosts public-facing services (web servers, mail) |
| Zero Trust | Never trust, always verify; every access request is authenticated and authorised regardless of location |
| Network segmentation | Dividing a network into isolated segments using VLANs or firewalls; limits lateral movement |
| Microsegmentation | Fine-grained segmentation extending to individual workloads; common in cloud and SDN environments |
| Air gap | Physical isolation; no network connection to external systems |
| VPN (Virtual Private Network) | Encrypted tunnel over an untrusted network; site-to-site or remote access |
| SD-WAN | Software-defined WAN; manages multiple WAN links with centralised control and policy |
| SASE | Secure Access Service Edge; converges networking and security into a cloud-delivered service |
Cloud security
| Model | Provider manages | Customer manages |
|---|---|---|
| IaaS (Infrastructure) | Physical, network, hypervisor | OS, middleware, runtime, apps, data |
| PaaS (Platform) | Physical through runtime | Applications and data |
| SaaS (Software) | Everything | Data and user access |
// Domain 4 - Security Operations (28%)
Domain 4 is the largest and covers day-to-day SOC and security operations work. High weight: spend the most time here.
Incident response phases
| Phase | Key activities |
|---|---|
| 1. Preparation | IR plan, tools, team training, playbooks, communication channels |
| 2. Detection & Analysis | Alert triage, log analysis, determine scope and severity, declare incident |
| 3. Containment | Short-term containment (isolate), evidence preservation, long-term containment |
| 4. Eradication | Remove malware, patch vulnerability, reset credentials |
| 5. Recovery | Restore systems, verify clean state, monitor for re-infection |
| 6. Lessons Learned | Post-incident review, update playbooks, improve detection |
Vulnerability management
| Term | Definition |
|---|---|
| CVE | Common Vulnerabilities and Exposures; unique identifier for a known vulnerability |
| CVSS | Common Vulnerability Scoring System; 0-10 severity score based on exploitability and impact |
| Zero-day | Vulnerability unknown to the vendor; no patch exists at time of exploitation |
| Patch management | Process for identifying, testing, and deploying patches across the environment |
| Vulnerability scan | Automated scan identifying known vulnerabilities; non-intrusive, no exploitation |
| Penetration test | Authorised simulated attack; actively exploits vulnerabilities to demonstrate real impact |
Digital forensics order of volatility
Collect the most volatile evidence first: it disappears fastest.
| Order | Source |
|---|---|
| 1 | CPU registers, cache |
| 2 | RAM (running processes, network connections, open files) |
| 3 | Swap / pagefile |
| 4 | Network state (ARP cache, routing table) |
| 5 | Running processes |
| 6 | Disk (filesystem, logs) |
| 7 | Remote logging and monitoring data |
| 8 | Physical configuration, network topology |
| 9 | Archival media (backups, optical) |
// Domain 5 - Security Program Management & Oversight (20%)
Risk management
| Term | Definition |
|---|---|
| Risk | Likelihood × Impact; the potential for harm from a threat exploiting a vulnerability |
| Threat | Potential cause of an incident (attacker, natural disaster, insider) |
| Vulnerability | Weakness that could be exploited by a threat |
| Risk acceptance | Acknowledging and accepting the risk without additional controls |
| Risk avoidance | Eliminating the activity that creates the risk |
| Risk transference | Shifting risk to a third party; cyber insurance, outsourcing |
| Risk mitigation | Implementing controls to reduce likelihood or impact |
| SLE | Single Loss Expectancy = Asset Value × Exposure Factor |
| ALE | Annual Loss Expectancy = SLE × Annual Rate of Occurrence |
Compliance frameworks
| Framework / Regulation | Scope |
|---|---|
| NIST CSF | Cybersecurity framework; Identify, Protect, Detect, Respond, Recover |
| ISO 27001 | International ISMS standard; risk-based approach to information security |
| PCI DSS | Payment Card Industry; organisations handling cardholder data |
| HIPAA | US healthcare; protecting patient health information (PHI) |
| GDPR | EU; personal data protection and privacy rights |
| SOC 2 | Service organisation controls; security, availability, confidentiality, privacy |
// Key Acronyms
| Acronym | Full form |
|---|---|
| AAA | Authentication, Authorisation, Accounting |
| ACL | Access Control List |
| BYOD | Bring Your Own Device |
| CASB | Cloud Access Security Broker |
| DAC | Discretionary Access Control |
| DLP | Data Loss Prevention |
| EDR | Endpoint Detection and Response |
| HSM | Hardware Security Module |
| IAM | Identity and Access Management |
| IDS / IPS | Intrusion Detection / Prevention System |
| MAC | Mandatory Access Control |
| MDM | Mobile Device Management |
| MFA | Multi-Factor Authentication |
| NAC | Network Access Control |
| PKI | Public Key Infrastructure |
| RBAC | Role-Based Access Control |
| SIEM | Security Information and Event Management |
| SOAR | Security Orchestration, Automation and Response |
| SOC | Security Operations Centre |
| TTP | Tactics, Techniques, and Procedures |
| UAT | User Acceptance Testing |
| UEBA | User and Entity Behaviour Analytics |
| WAF | Web Application Firewall |
// Exam Tips
Domain 4 is 28% of the exam. Security Operations is the biggest domain, so prioritise it. Focus on incident response phases, threat hunting, log analysis, vulnerability management, and digital forensics concepts.
Performance-based questions (PBQs) appear first. These are drag-and-drop, simulation, or scenario questions. They take longer; if you're stuck, flag and come back. Don't let one PBQ eat up 20 minutes.
Read every answer before choosing. Security+ loves "best answer" questions where multiple options are technically correct; the right answer is the most appropriate for the given scenario and security principle.
Know your acronyms cold. The exam doesn't always spell out what acronyms stand for. If you see CASB, UEBA, or SOAR in a question and you don't know what they mean, you can't answer it correctly.
Think like a security professional, not a hacker. Security+ tests your ability to select appropriate security controls and respond correctly, not how to exploit systems. When in doubt, the least-privilege, most-controlled option is usually correct.